
Device Code Flow - Token


Use this API from your input-constrained device to check the status of authorization and, once authorization is complete, get a token set containing Access, Refresh and ID Tokens.

Device Code Flow enables OIDC on devices that have an internet connection but don’t have a browser or an easy way to enter text. This flow is seen on devices such as smart TVs, media consoles, picture frames, printers, or hardware video encoders. In this flow, the device instructs the user to open a URL on a secondary device such as a smartphone or computer in order to complete the authorization. There is no communication channel required between the user’s two devices.

Endpoints

To find proper endpoints for your organization’s use, go to https://your-subdomain.onelogin.com/oidc/2/.well-known/openid-configuration and look for the following code:


"device_authorization_endpoint":
    "https://your-subdomain.onelogin-shadow01.com/oidc/2/device/auth",
"token_endpoint":
    "https://your-subdomain.onelogin-shadow01.com/oidc/2/token",
"grant_types_supported": [
    "urn:ietf:params:oauth:grant-type:device_code"
]

Resource URL

https://<subdomain>.onelogin.com/oidc/2/token

Header Parameter

authorization: Required if Token Endpoint Authentication Method is set to Basic

content-type: application/x-www-form-urlencoded

Resource Parameter

subdomain (required, string): Set to the subdomain of your OneLogin instance, e.g. oidc-sample where the instance is https://oidc-sample.onelogin.com

Request Parameter

grant_type (required, string): urn:ietf:params:oauth:grant-type:device_code

device_code (required, string): The device_code from the Device Authorization Request response

client_id (required, string): The OneLogin generated Client ID for your OpenID Connect app.

Sample Response

While authorization is still pending:

{
    "error": "authorization_pending",
    "error_description": "authorization request is still pending as the end-user hasn't yet completed the user interaction steps"
}

After the user has completed authorization:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRndlRmMkNp...",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRndlRmMkNpU1B6...",
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjRndlRmMkN...",
    "scope": "openid profile email",
    "token_type": "Bearer"
}
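
The request parameters and the two sample responses above imply a polling loop on the device. The following is an added example, not OneLogin's own code, of a loop that keeps a fixed wait between polls, stops on terminal errors, and gives up when the device_code lifetime runs out. It assumes the error codes slow_down, access_denied and expired_token as defined by RFC 8628 (only authorization_pending appears on this page), the RFC's default interval of 5 seconds, and a hypothetical post callable that sends the form body to the token endpoint and returns the parsed JSON reply.

```python
import time
import urllib.parse

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"

class DeviceFlowError(Exception):
    """Polling must stop: the user denied the request or the device_code expired."""

def poll_for_tokens(post, device_code, client_id, interval=5, expires_in=600,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll until a token set arrives. `post` (hypothetical) sends the
    form-encoded body to the token endpoint and returns the parsed JSON reply.
    interval/expires_in come from the Device Authorization response."""
    body = urllib.parse.urlencode({"grant_type": GRANT_TYPE,
                                   "device_code": device_code,
                                   "client_id": client_id})
    deadline = clock() + expires_in
    while clock() < deadline:
        resp = post(body)
        error = resp.get("error")
        if error is None:
            if "access_token" not in resp:
                raise DeviceFlowError("reply has neither error nor access_token")
            return resp
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: lengthen the interval and keep it
        elif error != "authorization_pending":
            raise DeviceFlowError(error)  # access_denied, expired_token, ...: stop
        sleep(interval)
    raise DeviceFlowError("expired_token")  # local deadline reached

# Constructed replies, modelled on the sample responses above (values are made up).
SAMPLE_REPLIES = [{"error": "authorization_pending"}, {"error": "slow_down"},
                  {"error": "authorization_pending"},
                  {"access_token": "constructed", "token_type": "Bearer"}]

def run_scripted(replies, **kwargs):
    """Drive the poller with scripted replies and a fake clock (no network)."""
    script, now, waits = iter(replies), [0.0], []
    def fake_sleep(seconds):
        waits.append(seconds)
        now[0] += seconds
    tokens = poll_for_tokens(lambda body: next(script), "constructed-device-code",
                             "constructed-client-id", sleep=fake_sleep,
                             clock=lambda: now[0], **kwargs)
    return tokens, waits
```

On a real device, pass a post callable that performs the HTTPS request with content-type application/x-www-form-urlencoded, and keep the returned tokens out of logs.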

OIDC Rate Limit

Authentication

| Type | Endpoint | Quantity | Time | Burst (per second) |
|---|---|---|---|---|
| OpenId Connect | oidc/auth | 600 | minute | 40 |
| | oidc/token | 1800 | minute | 40 |
| | oidc/* | 600 | minute | 40 |

